Sunday, February 20, 2011

This is not what I meant by law firm competitive intelligence


I have long considered, lectured and written about law firm competitive intelligence from the perspective of CI prepared and used in service to the firm’s goals as a business entity. However, CI can also be conducted by law firms and its vendors in service to its clients’ goals. Today’s post addresses that use of CI by law firms.

This post also addresses the counterintelligence challenges of a post-Wikileaks world, where law firms and their vendors can be targeted by disgruntled employees, hackers and social engineers. Today’s professional culture encourages us to communicate via email, texting and social media, which are so familiar we forget they are susceptible to revelation – on purpose and through carelessness, through both legal and illegal means. Even sophisticated people ignore these dangers, as today’s post illustrates.

The events described below read like they were lifted from Stieg Larson’s “The Girl with the Dragon Tattoo” novel series. However, they were all reported during the past two weeks by the Financial Times, The New York Times, The Washington Post, The Observer, American Lawyer Media, Wired, Salon and dozens of other publications, blogs, online chat rooms and message boards.

I apologize if I have failed to insert the word “allegedly” everywhere it should appear in the following severely summarized account. Therefore, I hereby stipulate it has been alleged that …

What has been reported?

Last fall Hunton & Williams invited three data security companies (HBGary Federal, Palantir Technologies and Berico Technologies) to work with the firm to prepare a joint new business pitch for the U.S. Chamber of Commerce, a firm client. This pitch related to some of the Chamber’s political initiatives and investigations and handling of its antagonists.

H&W also invited the same three security companies to help prepare a second new business pitch for Bank of America, also a firm client. This pitch related to a BoA internal investigation into documents that Wikileaks had obtained, possibly from one or more BoA insiders, and threatened to publish on the Internet.

As these events were unfolding, HBGary Federal’s CEO, Aaron Barr, wanted to strengthen his street cred to support the H&W and other business development efforts HBGary Federal was involved in.

Barr was already hanging out online with members of Anonymous, a highly secretive, loose collective of activists and hackers. He believed he could elevate his sleuthing reputation by analyzing information on internet chat logs, Facebook, Twitter and elsewhere to identify Anonymous’s secretive leaders and key players. Barr planned to describe his unmasking methodology in a presentation at a February 2011 security conference and was able to publicize this presentation in a news story published on February 4, 2011, in the Financial Times.

For a day or so after the February 4 Financial Times story came out, Barr and Anonymous traded online insults. Anonymous then retaliated by hitting HBGary Federal’s corporate network, eventually taking down the company’s site, extracting 70,000 emails and publishing them online. To insult Barr further, Anonymous said their takedown team included a 16-year-old girl who had social engineered an HBGary Federal company IT admin into revealing another HBGary Federal admin’s logins and passwords.

Among the thousands of HBGary Federal emails that Anonymous published were those emails HBGary Federal had exchanged with H&W lawyers while the law firm and three data security companies were preparing the Chamber of Commerce and BoA pitches. Anonymous also uploaded the PowerPoint presentations the three security companies had prepared in consultation with H&W for use prior to or during H&W’s pitches.

Those PowerPoint files described the services the three companies would perform, including investigations and possible actions to be taken against lobbying groups, union employees, journalists and others whose allegiances and interests were counter to those of H&W’s clients. Those actions included developing fake personas, preparing and leaking fake information to H&W clients’ adversaries to discredit them, and discouraging commentary by journalists who are “... established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals.”

Where do things stand now?

1. HBGary Federal’s web site is still down.

2. Palantir and Berico have apologized for their involvement in these events and severed all ties with HBGary Federal. Palantir also suspended the 26-year-old engineer who worked on the PowerPoint presentations.

3. The Chamber of Commerce denied hiring any of the three companies or H&W.

4. Bank of America said they have never seen the presentation described in the emails, have never evaluated it, and have no interest in it.

5. H&W has refused to comment.

6. Some of those named as the Chamber’s adversaries in the hacked emails and PowerPoint files have announced their intention to file ethics charges next week with the DC bar association against three of H&W’s lawyers.

Lessons learned?

Whether the activities allegedly contemplated in the HBGary Federal hacked emails and PowerPoint files were competitive intelligence or corporate espionage or worse, they violated the Society of Competitive Intelligence Professionals’ Code of Ethics. As I have said many times before, including here, law firm competitive intelligence workers should all read that brief code of ethics, take its seven elements to heart and agree to abide by it. I now recommend that lawyers do so, too.

These events also have sobering implications for law firms’ own network security challenges. If a data security firm can be hacked and all its emails and attachments posted online, how well would most law firm networks stand up to such an assault? And if the firm’s network were breached in this way, what would be the costs to the firm and its clients and prospects? This law firm counterintelligence challenge requires not only technological safeguards, but also full recognition that lawyers and law firm employees are just as susceptible as anyone else to social engineering.

I have no doubt that everyone associated with this dog’s breakfast wishes it had never happened. Some blame the mess on security carelessness. Others see the leaked emails and PowerPoint files as evidence of ethical lapses and possibly criminal intent.

Optimistically, I view these events as an opportunity to remind ourselves, once again, of the ethical limits of competitive intelligence activities. Above all professions and industries, lawyers and law firms cannot be ignorant of or ignore these ethical limits.

1 comment:

Kirby said...

This is definitely in line with what I posted earlier this morning, although I am not involved in competitive intelligence and my customers are primarily government. Thanks for clarifying for other CI/law firms. My post, if you have not seen it, is here: